Safeguarding your information with ISO/IEC 27001
ISO/IEC 27001:2022 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation.
It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation.
The requirements set out in ISO/IEC 27001:2022 are generic and are intended to be applicable to all organisations, regardless of type, size or nature.
ISO/IEC 27001:2022 – what is new?
The 2022 revision of ISO/IEC 27001 makes relatively minor changes to the management system clauses and aligns Annex A with ISO/IEC 27002:2022. The main changes are:
- a modified title;
- simplified wording and structure;
- a revised Annex A whose controls match those listed in ISO/IEC 27002:2022. Annex A has gone from 114 controls in 14 control categories to 93 controls in 4 themes (organisational, people, physical and technological).
Of the 93 controls, 11 are new, 24 are the result of merging existing controls, and 58 are updated versions of existing controls.
These changes are illustrated in the infographic below
What does it mean for you?
The updated version of ISO 27001 may have an impact on certified organisations. To determine what that impact is, perform a gap analysis between the previous controls and the new controls applicable to your organisation. This will typically include:
- updating the statement of applicability (SoA) to reference the Annex A:2022 controls;
- where the gap analysis identifies new or changed controls, updating the risk treatment plan and implementing the added controls.
After Friday 31st October 2025 all I.S. EN ISO/IEC 27001:2017 certificates will expire and certification will be formally withdrawn. To remain certified, your organisation must update its ISMS in line with the revised requirements and successfully complete the transition to ISO/IEC 27001:2022 before that date.
Benefits of implementing ISO/IEC 27001:
- avoid reputational damage caused by ineffective security
- comply with legislation and with stakeholder needs and expectations
- enable secure exchange of information
- win new business and retain existing clients
- increased credibility when tendering for contracts
- expand into global markets
- demonstrate best practice
Cost reduction
- reduce the risk of suffering a data breach
- avoid fines
- implement proportionate security controls
Structure your business
- define responsibilities
- improve management processes and risk strategy
GDPR - EU General Data Protection Regulation
ISO 27001 can be used to provide a basis for evidence of compliance with the GDPR.
The GDPR has applied across all EU member states since 25th May 2018. It has significant implications not only for businesses based in the EU but for all organisations operating within the EU market.
The GDPR aims to:
- reinforce the rights of the individual
- strengthen the EU internal market through new, clear and robust rules for the free movement of data
- ensure consistent enforcement of these rules
- set global data protection standards
- safeguard a gold standard for data protection across all industries
To determine how ready your organisation is for certification you can use the NSAI self-assessment questionnaire.
For information on how to use the self-assessment questionnaire please see our video below.
For further information see ISO/IEC 27003 ‘Information technology - Security techniques - Information security management system implementation guidance’
ISO/IEC 27001:2022 and ISO/IEC 27003 can be purchased at www.standards.ie
System implementation methodology
- Get top management support
- Construct a business case and project plan
- Define the scope of the system
- Conduct a risk assessment and plan risk treatment
- Agree an effective monitoring methodology and applicable KPIs
- Train personnel
- Implement controls
- Operate and maintain the ISMS
- Conduct audits of the system and policies
- Management review
- Implement corrective actions and repeat as necessary
ISO/IEC 27001 sets out the ISMS requirements in clauses 4 to 10:
Context of the Organisation
- Needs and expectations of interested parties
- Scope of the ISMS
Leadership
- Demonstration of leadership and commitment by top management
- Establishment of the information security policy
- Assignment of roles, responsibilities and authorities
Planning
- Information security risk assessment
- Information security risk treatment
- Statement of applicability
- Information security objectives and plans to achieve them
Support
- Competence and awareness of personnel
- Documented information
Operation
- Operational planning and control
- Information security risk assessment (carried out at planned intervals)
- Information security risk treatment (implementation of the risk treatment plan)
Performance evaluation
- Monitoring, measurement, analysis and evaluation
- Internal audit
- Management review
Improvement
- Nonconformity and corrective action
- Continual improvement
Risk Treatment Controls (Annex A control areas as grouped in the 2013 edition; in ISO/IEC 27001:2022 these are regrouped into the four themes organisational, people, physical and technological)
- Internal organisation
- Human resources
- Asset management
- Access control
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Security incident management
- Business continuity
ISO/IEC 27001 Information Briefing - 15th & 16th October 2018
Thank you to everyone who attended our most recent information briefing on this international standard.
If you were unable to attend and would like to stay informed of any upcoming events you can do so by subscribing to the NSAI ezine at NSAI.ie
Certification process
- The applicant familiarises themselves with the requirements of the ISO/IEC 27001:2022 standard.
- Conducts a self-assessment using the NSAI Self-Assessment Form.
- Follows the system implementation methodology above.
- Applies for certification by completing the Request for Quotation form.
- Sends the completed Request for Quotation form to firstname.lastname@example.org. NSAI will then return a quotation for certification specific to your organisation.
- To make a formal application, sign the NSAI quotation and return it to email@example.com.
- An NSAI auditor will make contact to agree phase 1 assessment dates.
- Certification audits are conducted.
- Certification decision.
If you wish to receive a no-obligation quotation for certification to ISO/IEC 27001, please complete and return a copy of the RFQ form.